How Cybercriminals Can Steal Your Credit Card Data

Posted by Zach Walker on May 14, 2015 4:09:00 PM


We live in a day and age where cybercriminals and security professionals are in a constant battle of cat and mouse. Cybercriminals are creating and testing new attack methods at this very moment to test and compromise an organization’s systems. For security professionals, only one mistake has to be made for a security incident to occur, while cybercriminals only have to be right one time. And when cybercriminals are successful, we as consumers feel the repercussions as our personal and financial data is stolen and used for illegal activities.

Most of us have heard about the catastrophic data breaches plaguing the U.S. or know someone firsthand who has been directly affected by the theft of payment data. However, this is just one of many ways that cybercriminals can steal the payment data of consumers and negatively impact the payment ecosystem. We’re going to take a look at five scenarios where payment card data can be stolen and eventually sold in the underground markets.


Malware, otherwise known as malicious software, includes Trojan horses, worms and viruses, and has been compromising security systems for decades now. In the past year, Verizon reported a total of 170 million malware events occurring across the globe, with nearly 5 malware events occurring every second. These various forms of malware can impact an organization from multiple angles, including email and other forms of communication, file downloads from peer-to-peer connections, and security patch exploits. Now that we know a little more about malware, let’s dive into a possible scenario.


When a cybercriminal has found their latest victim, usually targeting an organization’s website with low levels of security, their next step is to install malware onto the site with the hope that web visitors will download the malicious software unknowingly. Once the cybercriminal is successful in installing the malware, any future visitor of the affected website is at risk of downloading said malware. Once the malware is downloaded onto another computer, unauthorized access to the computer can be made, compromising the sensitive information stored on that computer, including account names and passwords for other websites, and mailing addresses.


One of the more direct and physical approaches to stealing payment card data stems from the tampering or theft of point-of-sale systems at a retail location. Cybercriminals will use a method of distraction to help avoid detection. When there’s a window, a distracted cashier could miss that their point-of-sale system has been tampered with or replaced with an identical system that is rigged to collect customer payment card data.


A cybercriminal walks into a retail store disguised as an IT vendor and approaches a retail cashier, requesting access to the store’s IT network to perform routine maintenance. As the cashier takes the criminal to the back of the store, or takes the criminal to his or her manager to confirm their identity, another criminal enters the store. As the cashier is distracted or away from the register, the store’s original PoS system is either tampered with or replaced with a modified terminal.

Weeks later, the same criminal or an accomplice of theirs returns to the affected store. And just like before, when the time is right, the cybercriminals will return the original terminal and take back the modified PoS system to scrape the cards that transacted with the modified PoS system.


Phishing attacks, another form of social engineering, continue to trick consumers into providing access to sensitive data. At one point or another, we’ve all received a suspicious email or phone call asking us to confirm certain parts of our identity or account information. And while the vast majority of U.S. consumers immediately delete suspicious emails and ignore calls from unknown numbers, there are consumers that still fall for these schemes. In the same Verizon report that was mentioned earlier, 23 percent of phishing email recipients would open a phishing email and 11 percent would then click on links or attachments.


A cybercriminal will draft and send an email, impersonating a business or organization asking for your personal or financial information. Within the email, various clickbait links or attachments are included. And when said attachment is clicked, malware is downloaded instantly to the computer and, if untraced, will continue to compromise confidential information on the computer. This malware can also include a keylogger that allows cybercriminals to track every keystroke that is entered on the affected computer, essentially nullifying the strongest of passwords.


Since the wide adoption of magnetic stripe credit cards in the 1980s, the scenario of a waiter or waitress stealing credit card data has been a focus of concern for cardholders in the U.S. Originally, fraudsters would use a sheet of carbon paper to copy the payment information of a customer’s credit card in the back of the restaurant, to make future fraudulent transactions. Fast-forward to the 21st century and, while the problem still remains, the methods by which fraudsters carry out their crimes have changed.


A cardholder on a cross-country road trip stops at a rest stop for a quick bite to eat. After a great meal, the cardholder hands the waiter their credit card for the check. While the cardholder waits for the check to return, the waiter swipes the customer’s card through the rest stop’s register, authorizing the legitimate transaction. Unknown to the patrons of the rest stop, the waiter has a small card skimming device affixed to his belt that he can use to store the customer’s payment information to be used at a later date. The affected cardholder receives their credit card and gets back on the road, unaware of future fraudulent charges that are likely to occur.


Gas stations across the nation continue to affix anti-fraud stickers at the pump to deter fraudsters from accessing the section of the gas pump that contains the credit card reader and installing a credit card skimmer. This has been such a problem for gas stations across the nation that the 2015 EMV deadline in the U.S. has been extended to October of 2017 for gas station and petroleum providers. Because of the way gas pumps are designed, it is much more difficult for the average cardholder to determine if their gas pump has been tampered with.


A cybercriminal drives to a nearby gas station late at night and pulls up to a pump, appearing to make a legitimate transaction. While the gas station attendant struggles to stay awake, the cybercriminal breaks into the gas pump and installs a card skimmer over the card reader. From this point on, every card that transacts with this gas pump will have its payment information stored for retrieval at a later date. A few days later, either the same criminal or an accomplice returns to the gas station, opens up the compromised gas pump and retrieves the skimmer.

These are just five unique scenarios in which a fraudster or cybercriminal can steal credit card data in everyday situations. While these scenarios can all be prevented due to a variety of reasons, we as consumers need to be aware of potential traps in our daily lives that can compromise the integrity of our payment information. For more information on where cardholder information is being compromised and the resulting fraudulent spending, check out our latest infographic here covering the top five most compromised merchant categories!
